This is something that I have been thinking about quite often. Currently, when it comes to training co-workers about the dangers of malicious emails, the general consensus seems to be that we need to keep them ‘on their toes’, so to speak, by sending out emails that look like, but are not, actual phishing emails.
These are usually sent out at random intervals, but fairly frequently, to gauge how much risk the organisation would face if a genuine malicious email were delivered to a mailbox.
Now, depending on how well resourced the Cybersecurity Team in an organisation is, these tests often end up being automated in a ‘set and forget’ fashion. The results are usually only glanced at, and if a recipient has interacted with the email, they are put on a training course on how to spot these sorts of emails and, potentially, their manager is informed. This varies from organisation to organisation, and your mileage may vary.
To illustrate, let's picture a scenario. A colleague in a department gets one of these test emails and clicks on a link. Once they click on it, they will most likely receive a message saying that they have clicked on a test malicious email and will now be enrolled in additional training. Their manager might get in touch to reiterate that they should be more careful when working with emails. The Cybersecurity Team will also likely send a reminder on how to spot these sorts of emails and may increase the frequency of test emails to anyone who ‘failed’ the test.
At this point, the co-worker is probably going to feel upset that they have been, potentially unfairly, tricked by the Cybersecurity Team, and it has turned into something stressful, as they may have to speak to their manager about it and be enrolled in additional training. Perhaps they even feel disappointed that they have let the side down.
The Cybersecurity Team will also need to manage the additional workload of triaging these test emails and correlating the metrics to work out the risk at that point in time.
Additionally, the constant frequency of these tests, potentially with little variation between them, means that fatigue is going to set in. Most people will no longer report the test emails and may get used to their particular characteristics whilst missing genuine malicious ones. After all, there are only so many sending domains that can be used for conducting tests, and with under-resourced Cybersecurity departments, not a lot of time is going to be dedicated to constantly updating the tactics to match those used by malicious actors.
On the other side of the fence, other co-workers will increase the number of legitimate emails being flagged as malicious, which in turn places a bigger burden on the Cybersecurity Team. With automation, an email that is falsely identified will be automatically quarantined and will then need to be released from quarantine.
This leads me to a post I came across recently from the Google Security Blog:
As noted in the blog post, phishing remains one of the top attack vectors despite the increased effort put into training users and constantly testing them against malicious emails.
So do these constant tests work in protecting an organisation? There is definitely a place for conducting them, but we need a different approach. Rather than trying to surprise co-workers with these tests, we should use them as learning opportunities and encourage people to report any email that does not feel ‘right’.
Educate co-workers on what to look out for and how to report malicious emails correctly. Foster a culture of understanding and openness, as it is not going to be possible to achieve a 100% success rate against malicious emails. Cybersecurity Teams are not out to ‘get you’; they would rather be informed about a malicious email, so that they are in a better position to deal with it, than foster a culture of fear about whether an email should be reported.